Spectre, Meltdown and the Cloud

Though it’s passed a little below the radar in the mainstream media, for several weeks now the tech world has been abuzz with one of the most widespread security breaches the industry has ever known. It turns out that for years now, several chipmakers have been putting out processors with vulnerabilities, named Spectre and Meltdown.

These vulnerabilities leave any computers using these processors, e.g. pretty much all of them, vulnerable to attack by cybercriminals. Though fixes seem to be on the horizon, deploying the fixes will be a gargantuan task as the devices affected range from desktops, to laptops, to tablets, to phones and, maybe worst of all, servers, the lifeblood of the internet and the cloud.

This last group is of course of particular interest to us here at Cloudwards.net (the hint is in the name). In this article we’re going to be looking at the possible repercussions Spectre and Meltdown will have on cloud computing, including some of our best cloud storage providers as well as a few more general observations.

Discovering Meltdown

As always the trailblazers, the story of a possible security-breaking flaw, Meltdown, in Intel chipsets — only the appropriately dubbed Chipzilla was at first suspected — was first published by The Register on January 2nd, 2018. That story, in turn, was based off of the work of Google’s Project Zero, the company’s security thinktank.

Without descending too far into technobabble, when a computer does something it does so using its processor. A task is shifted from the processor to the kernel, which acts a bit like a cop moving traffic around. The vulnerabilities discovered disrupt that process on the one hand, slowing it down, while also conceivably allowing a third party to take a look-see at the kernel’s memory.

The slowdowns are one thing, and fairly disastrous if you consider the millions of teraflops a server’s processor needs to move around in a nanosecond, but the ability for third parties to maybe take a look at the kernel’s memory is very, very bad news, indeed.

While moving data around, the kernel stores some of the information it receives. This means that things ranging from your slashfic to those nude pictures of your ex (dude, move on) to your banking data could possibly be retrieved by third parties if they got access to your computer. Or, again, a server processing tons of data.

This means that a server that has been broken into could have all the data stored in its kernel memory exposed. As some of the servers of, say, our best web hosting providers, host thousands of websites, this could mean that cybercriminals could have access to whole chunks of the internet.

A Feature, Not a Bug

As it turns out, chips with this flaw have been turned out for close to 20 years now. Though the specifics are kept a bit vague and highly technical, most likely in an attempt to foil would-be hackers, what it boils down to is that the vulnerabilities lie in the design of the chips.

This means that it’s not really a flaw: it’s a design feature that has exploded in the makers’ faces. It’s just that until Project Zero (as well as some independent researchers, it should be noted) discovered it, it had escaped all notice. For two decades.

This is where the story gets a little murky: it turns out, as you can read in this excellent but very long piece published by The Verge, that engineers at Intel already knew about it sometime in early December, 2017. The company, together with other major industry players, had put a security embargo on the reports, however, to make sure that nobody would be able to exploit the flaw before a patch was found.

This may seem like common sense at first, but, as U.S. lawmakers have noted, this worked in the favor of the big players in techland, leaving smaller ones to fend for themselves while the behemoths figured out what to do.

Also, what these big players have come up with is slightly underwhelming. All the fixes for either Spectre or Meltdown considerably slow down affected devices (again, pretty much all of them). The only fix that keeps your speeds up involve getting a new CPU, but here’s the catch: there aren’t any.

Though at first only Intel chips were suspected (and only Meltdown was in the picture), it quickly turned out that other manufacturers had built processors on the same specs and that there was another problem, too, which was dubbed Spectre.

Apple is also affected, as Apple chips are, for all intents and purposes, Intel chips. ARM (likely responsible for making the chips in your mobile device as well as IoT devices) and AMD (Chipzilla’s main competitor, though a bit player compared to it) are also vulnerable, though AMD only to Spectre.

That’s a good-news, bad-news situation for AMD customers: Spectre is harder to exploit, but harder to fix, too. Though again we want to go light on the technobabble (there’s a full report on Spectre for those interested), Spectre allows hackers to trick programs into divulging their secrets. In an odd twist of fate, most security protocols actually make Spectre easier to exploit, adding to the fun for people looking for a patch.

How the Cloud Is Affected by Spectre and Meltdown

With Meltdown affecting everything Intel going back decades as well as some ARM processors, and Spectre affecting, well, everything, the industry has gone in full overdrive putting together patches. At time of writing most computer systems have some kind of protections up (though not everyone is happy with the progress made).

So far, personal systems as well as some business ones are protected, or at least enough while bigger fixes are thought up. The same goes for cloud systems, but there are some more serious worries there. This has to do with the fact that more users make systems more susceptible to attack anyway, especially if they’re in the cloud where, theoretically, anyone can access them.

Another problem is that security risks in the cloud are a bigger deal than on a personal computer simply because servers have a lot more data run through them. Since most websites run on servers that host many other sites, a vulnerability in one is a vulnerability for all.

A third problem is that, because cloud systems are out there and need to be accessed by many people simultaneously (like with VPS hosting), the slowdowns that the current patches bring are a big problem. One example was a recent report in which game company Epic Games blamed some very bad lag issues its players experienced on the Meltdown patch.

The takeaway from all this is that cloud companies have an interesting few months or even years ahead of them as successive patches are rolled out. What exactly the repercussions will be for consumers is still unclear, but slowdowns are definitely part of the picture.

How do you think Spectre and Meltdown will affect the cloud? Are you particularly worried? Please share your thoughts in the comments below and, as always, thanks for reading.